Notes & Warnings

Note: Do not use wsbackup to restore information during these steps, as it will bring over the old IP address. Any configuration file with the old IP will have issues in the new setup.

Problem Description

What do I do to reinstall the Policy Broker and Policy Database on a machine with a different IP address from the original? How do I use a different Policy Broker for my Policy Server(s)?

Resolution

Changing the Policy Broker in an environment is an involved task as it will require changing every Policy Server in the deployment to read from the new broker. This article has multiple sections for instruction:

Installing Policy Broker and Policy Database

There can only be one Policy Broker in the deployment when using standalone mode. The alternative is to use Policy Broker Replicas that copy the data from the Primary Policy Broker. For more information on Policy Broker Replicas, see Managing Policy Broker Replication.

Important: Changing the Policy Broker will bring down services and affect filtering.

Forcepoint Technical Support does not support changing the IP address of a server, as many files use this IP address. If the IP address of the Policy Broker must be changed on a Windows server, the product will need to be reinstalled, or installed on a separate server or appliance, for which Technical Support can provide setup guidance.

If creating a new server

Make a note of all services, IP addresses and logins present on the existing Windows server. This includes:

SQL server IP address and login.

Active Directory Global Catalog Servers and logins.

Any SIEM solution information including IP and chosen format.

Any Service Accounts being used for services.

IP addresses of all proxies and other tied servers such as Remote Filtering Client servers in the environment.

If other Forcepoint products exist on the server, such as Email or Data, raise a case with Forcepoint Technical Support to discuss what will need to be done to migrate.

On the new server, use the Forcepoint Setup file to install all items that will be retired from the old server. If the installer is not on the server, you may download it from here. When downloading the installer, ensure the version matches your installation.

Ensure Antivirus solutions installed on the machine are turned off and are set to not scan the installation folder or its subfolders (by default, Program Files (x86)\Websense) after installation. See the documentation for the Antivirus solution for instructions.

Ensure the administrator account used to log on to the server has read-write permissions on the drive where the software will be installed:

Open a Folder Explorer window to This PC.

Right-click the drive where the software will be installed.

Click Properties.

Select the Security tab.

Ensure the administrator account is either present or part of a present group that states Full Control. If not present, click Edit and add Full Control to the user or group, then press OK.

Press OK again to save changes.
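The same permission check can be done from PowerShell. This is an added example, not Forcepoint code; the `$Drive` value and the `Resolve-Name` helper are assumptions made for illustration.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell session:
# in a non-elevated session the Administrators group is deny-only and is
# not listed in the token's enabled groups.
$Drive = 'C:\'   # assumption: the drive where the software will be installed

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# SIDs that apply to this logon: the user plus every enabled group.
$sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Read the drive root's ACL with entries resolved to SIDs, so the comparison
# does not depend on localized or renamed account names.
$rules = (Get-Acl -Path $Drive).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])

$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$mine = @($rules | Where-Object { $sids -contains $_.IdentityReference.Value })

$allow = @($mine | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $full) -eq $full
})
$deny = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' })

# Hypothetical helper: show a readable account name where the SID resolves.
function Resolve-Name($rule) {
    try { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $rule.IdentityReference.Value }   # unresolvable SID: show it raw
}

if ($allow.Count -eq 0) {
    Write-Warning "$($identity.Name) has no Full Control entry on $Drive (directly or via a group)."
} else {
    $allow | ForEach-Object { Write-Output "Full Control granted via: $(Resolve-Name $_)" }
}
# Deny entries can override Allow entries, so list any that apply to this logon.
$deny | ForEach-Object {
    Write-Warning "Deny entry for $(Resolve-Name $_): $($_.FileSystemRights)"
}
```

If the script reports no Full Control entry, add it through the Security tab as described in the steps above.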

If the Windows server was also the Forcepoint Security Manager, EIP Infrastructure will need to be installed first, then Web.

Log into the Manager. On first login, an error will appear prompting for the old password from the old server. After entering the old password, log out and then log in again with the new password.

Note: Once this is done, the other Policy Broker Manager can no longer be used and will be locked out, as only one Manager is allowed in the deployment. See Forcepoint instance is not authorized to connect to the Policy Broker for instructions on releasing the permissions on the old server's Security Manager if it is absolutely necessary to check configurations to bring into the new environment.

For Appliances:

Note: If using Software Content Gateway, this option is not available and requires reinstallation of the software to choose a different Policy method.

Version 8.3 to 8.5 Appliance using CLI

This takes approximately 20-30 minutes to complete.

SSH into the appliance C interface IP

Log in with admin credentials

Type: config

Enter the admin password again.

Change the Web Components mode:

Take note of the current Filtering mode. To check it, type: show appliance info
